Skipfish

Right after we wrapped up that chapter, Google released its own security testing tool, Skipfish. There are already many tools out there, so why one more?

It has its own advantages; the one I like most is its high performance. The project describes it this way: "2000+ requests per second on LAN / MAN networks, and 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint."

Such high-performance tools can help accelerate automated security testing during the test phase of the SDLC.

2 comments:

I think you need to really pore over the skipfish source code and documentation, and while you are at it, check out the following other source code and/or documentation as well:

1) Burp Suite Spider
2) Netsparker Community Edition crawl-only mode
3) Nikto, most recent version including plugins
4) Websecurify, including recent command-line mode
5) w3af webSpider plugin

I think skipfish is only useful when you don't let it write a report, run it through ratproxy (which is also pointing to dev-null), and make sure that you patched ratproxy with the Metasploit WMAP patches so that you can feed the SQLite3 database to Metasploit WMAP especially sqlmap. Otherwise, skipfish, ratproxy, and Metasploit WMAP by themselves are pretty useless. This sort of tool chaining makes my head spin a bit too much though.

I also think that skipfish would be good in combo with Fortify PTA if you have a very large web application with just literally tons of things to crawl. The crawler in skipfish is not terrible considering how fast it is (note: it is much better than Burp Spider, Websecurify, and Nikto let alone a few commercial scanners -- and it's almost as good as the crawler in w3af). The report that skipfish produces, in summary, leaves a lot to be desired. Some of the options in skipfish need to be tuned so that it doesn't go crazy trying to find things that are not there, and so that it does try to find things more completely without having to be re-run.

There are some benefits to running any of these scanners through tools like ratproxy, especially when they are explicitly configured for a specific site, in order to detect cross-domain issues. Ratproxy, Watcher, and x5s are particularly awesome in this regard for pivoting XSS and potentially even CSRF vulnerabilities. They also call out externally sourced scripts, but Burp Scanner will do this in a much more reportable manner.

I don't believe that any scanner is useful for point-and-shoot, but this is especially true of skipfish.